A few words from the team


First of all, we would like to thank you for purchasing or considering the purchase of IDA Pro. If
you decide to buy IDA Pro, let us stress that we don't see this as an end, but rather as the beginning of a
relationship: our goal is not only to offer timely technical support but also to respond to your future needs.
That is why your feedback is so valuable to us: please feel free to contact us; IDA Pro's users have made it
what it is now.


Based on your feedback, we continue to improve IDA Pro. Be sure to regularly check our web 
pages for enhancements, corrections and new releases. All IDA Pro customers are entitled to free updates 
over the Internet for one year. 


Writing a manual for IDA Pro is probably an impossible task: disassembler users are highly skilled
specialists, and IDA itself is hard to use, counterintuitive at times and difficult to master. In addition, IDA Pro is
so versatile that what applies to Java class disassemblies hardly matters for segmented 80x86 architectures
and vice versa. No matter how hard we try, the perfect manual is out of our reach. It is unlikely that we
will ever be able to cover all your questions in advance, but we are here to help you. Therefore, this startup
guide does not aim to be an exhaustive introduction to IDA Pro. Rather, our hope is that it will expose the
general philosophy behind its operation and help you get a faster start with IDA Pro.


Ilfak Guilfanov, Main Developer 
Pierre Vandevenne, Manager 



Screen Resolution 


IDA Pro also runs on non-Windows platforms; that is why it is still a character mode application. The
default 80x25 text screen is probably not the environment you want to work in. When it first starts, IDA
Pro will offer you a choice of available resolutions.

If you run the DOS32 version of IDA Pro (IDAX), the program will adapt to any active resolution,
provided it is within the bounds accepted by your video card. For further configuration, you may want to
examine the IDA.CFG configuration file and customize the workspace resolution to your liking.




[Window size menu: Normal (80x25), Medium (100x35), Wide (132x25), Big (132x43)]




Load this file in any text editor and search for SCREEN_MODE. You'll find something like this:

    #ifdef MSDOS
    SCREEN_MODE = 0         // Screen mode to use
                            //   0 - don't change screen mode
                            //   DOS: AL for INT 10
    #else
    SCREEN_MODE = 0x8040    // Screen mode to use
                            //   high byte - cols, low byte - rows
                            //   i.e. 0x5020 is 80 cols, 32 rows
    #endif

which we suggest you adapt to your needs.



When IDA Pro loads a binary image, it will try to determine the format of the image and the
processor that was targeted. If it cannot automatically make this determination, you will see the following
dialog:



[Load a new file dialog: File name D:\IDA38\REGEXP, Binary file; Loading segment 0x1000 (in paragraphs);
Loading offset 0x0; [X] Create segments; OK / Cancel; F1 for Help]


You can then select the appropriate processor for your project. Some of the processors we support need
to be specified explicitly: for example, if you want to force the endianness (ARM) or use specific processor
extensions such as MMX or 3D-Now, you will have to select them manually.


[Processor selection list]

    ARM processors           ARM, ARM710a, ARMB
    DEC series               PDP11
    Hitachi SH3              SH3
    Intel 196 series         80196
    Intel 51 series          80251b, 80251s, 8051, 80930b, 80930s
    Intel 80x86 processors   80286p, 80286r, 80386p, 80386r, 80486r, 80586p, 80586r, 80686p
                             (one further 80x86 entry is illegible in the scan)


Often, IDA Pro will auto-detect the processor type (Intel 386 in protected mode, for example) and the
file type (Portable Executable, for example) and will use the information collected from the header of the file
to initiate auto-analysis. This starts exploring the obvious execution paths in the target program.








Analysis Options 


Analysis options can be defined initially from this menu. 





The defaults are usually good for most purposes and will not be reviewed in detail here.
Remember that all the IDA Pro analysis parameters can also be configured through the IDA Pro
configuration file and the application menus. The configuration file is probably the
best place to store settings which you use frequently.


Defining Code 


Sometimes, either because the file has no specific entry point (a ROM, for example) or because the
automatic analysis has not found an execution path, it will be necessary to help IDA Pro. This combination
of automatic analysis and human intervention is what allows IDA Pro to obtain results that
non-interactive products cannot reach.

In the following situation, assume IDA Pro hasn't recognized that this sequence of bytes is actually a
meaningful code sequence. Move your cursor on the seg000:0b91 line and press C.


    seg000:0B9B    db 0B0h
    seg000:0B9C    db 90h
    seg000:0B9D    db 26h    ; &
    seg000:0B9E    db 88h
    seg000:0B9F    db 4
    seg000:0BA0    db 0BEh
    seg000:0BA1    db 1
    seg000:0BA2    db 0
    seg000:0BA3    db 26h    ; &
    seg000:0BA4    db 8Ah
    seg000:0BA5    db 4
    seg000:0BA6    db 3Ch    ; <
    seg000:0BA7    db 20h
    seg000:0BA8    db 0C7h
    seg000:0BA9    db 6
    seg000:0BAA    db 0Fh
    seg000:0BAB    db 5
    seg000:0BAC    db 1
    seg000:0BAD    db 0
    seg000:0BAE    db 0F8h
    seg000:0BAF    db 0Fh
    seg000:0BB0    db 84h
    seg000:0BB1    db 0C1h
    seg000:0BB2    db 0

And IDA Pro converts this sequence to:

    seg000:0B9B    mov     al, 90h
    seg000:0B9D    mov     es:[si], al
    seg000:0BA0    mov     si, 1
    seg000:0BA3    mov     al, es:[si]
    seg000:0BA6    cmp     al, 20h
    seg000:0BA8    mov     word_148_50F, 1
    seg000:0BAE    clc
    seg000:0BAF    jz      loc_0_C74

IDA Pro will not always automatically recognize all the code in a given program : this situation is 
perfectly normal. It is possible to influence how IDA Pro handles unrecognized code through the analysis 
option configuration panel. The kernel analysis options have an impact on the auto-analysis IDA Pro 
performs. 


[Kernel analysis options dialog]

    [X] Mark typical code sequences as code
    [X] Delete instructions with no xrefs
    [X] Trace execution flow
    [X] Create functions if call is present
    [X] Analyse and create all xrefs
    [X] Use FLIRT signatures
    [X] Create function if data xref data->code32 exists
    [X] Rename jump functions as j_...
    [X] Rename empty functions as nullsub_...
    [X] Create stack variables
    [X] Trace stack pointer
    [X] Create ascii string if data ref exists
    [X] Convert 32bit instruction operand to offset
    [X] Create offset if data xref to seg32 exists
    [X] Make final analysis pass
    [X] Locate and create jump tables
    [ ] Coagulate data segments in the final pass


In most cases, the default options offer a good compromise between accuracy and convenience. If
IDA Pro identified code where it should not have, it may be a good idea to try deactivating the Make
final analysis pass option. In those situations where some code is not identified because it is not located
in expected locations, Coagulate data segments may be useful. Remember that these analysis options
can also be defined through the configuration file and, in most cases, this is the best place to modify them.

** When the input program or binary has been encrypted or compressed, IDA Pro will not
be able to disassemble the part of the program that is not in clear text. In this situation, you have
two solutions: either write a decryptor in IDC or use a file unpacker to pre-process the target
file.


Pressing 'C' in an undefined section restarts the IDA Pro code analyzer. All execution paths
starting from the newly defined code will be explored and analyzed. Sometimes, a simple manual
code definition will help IDA Pro discover dozens of execution paths. Note: this operation will not
adversely affect what you have already defined.


Defining Strings and Data 

In this situation, IDA Pro failed to identify what is clearly an ASCII string. This misidentification
occurred because the string is not directly referenced by the program:


    dseg:0146    db 0Dh
    dseg:0147    db 14h
    dseg:0148    db 43h    ; C
    dseg:0149    db 61h    ; a
    dseg:014A    db 6Eh    ; n
    dseg:014B    db 20h
    dseg:014C    db 6Eh    ; n
    dseg:014D    db 6Fh    ; o
    dseg:014E    db 74h    ; t
    dseg:014F    db 20h
    dseg:0150    db 6Fh    ; o
    dseg:0151    db 70h    ; p
    dseg:0152    db 65h    ; e
    dseg:0153    db 6Eh    ; n
    dseg:0154    db 20h
    dseg:0155    db 66h    ; f
    dseg:0156    db 69h    ; i
    dseg:0157    db 6Ch    ; l
    dseg:0158    db 65h    ; e
    dseg:0159    db 20h
    dseg:015A    db 2Eh    ; .
    dseg:015B    db 24h    ; $


Move your cursor on the dseg:0148 line and press A. The string is now defined and an automatic 
name has been generated. From now on, this name will be used by all past and future references to this 
string, either the ones IDA Pro will discover or the ones you will tell IDA about. 


dseg:0148 aCanNotOpenFile db 'Can not open file .$' 

This string is $ terminated. IDA Pro usually handles most string types automatically. Special 
situations are best handled through the ASCII Style dialog box. 




[ASCII string style dialog]

    Create a string now:
        DOS style ($ terminated)
        Pascal style (length byte)
        Wide pascal (length 2 bytes)
        Unicode
        Character terminated

    Setup default string type:
        C-style (0 terminated)
        DOS style ($ terminated)
        Pascal style (length byte)
        Wide pascal (length 2 bytes)
        Unicode
        Character terminated

    First termination character
    Second termination character


The word at dseg:0146 is actually an attribute used when the string is displayed. Moving the cursor
on that line and pressing 'D' will cycle through the 'db' and 'dw' data types. Either one could
be the one you wish to define, depending on how the program actually handles those values. Had the next
word been undefined, dseg:0146 could eventually have been defined as a 'dd'. You may also define a
structure.


Undefining Things 


In this admittedly artificial example, a sequence of spaces has been wrongly converted to three dd's
and a meaningless sequence of instructions (these conversions do not occur anymore in IDA Pro 3.82 and
up):





    dseg:02B6    dd 20202020h
    dseg:02BA    dd 20202020h
    dseg:02BE    dd 20202020h
    dseg:02C2    and     [bx+si], ah
    dseg:02C4    and     [bx+si], ah
    dseg:02C6    and     [bx+si], ah
    dseg:02C8    and     [bx+si], ah
    dseg:02CA    and     [bx+si], ah
    dseg:02CC    and     [bx+si], ah
    dseg:02CE    and     [bx+si], ah
    dseg:02D0    and     [bx+si], ah
    dseg:02D2    and     [bx+si], ah
    dseg:02D4    and     [bx+si], ah
    dseg:02D6    and     [bx+si], ah
    dseg:02D8    and     [bx+si], ah
    dseg:02DA    and     [bx+si], ah
    dseg:02DC    and     [bx+si], ah
    dseg:02DE    and     [bx+si], ah
    dseg:02E0    and     [si], ah



It is not possible to redefine them immediately as an ASCII string. Incorrect definitions must be
undefined before new definitions are applied.

First move the cursor on dseg:02B6 and press 'U' to undefine all dd's in turn, then undefine the
stream of instructions. Now, the 'A' key can be used to redefine the stream of 20h bytes as an ASCII string. By
now you are probably thinking that this is a bit slow. Isn't there a faster way? You bet there is. Simply
move the cursor on the first line you want to undefine, press SHIFT and DOWN ARROW simultaneously
to mark the area to undefine and then press 'U'.

The Undefine command is your best friend. Although IDA Pro is not likely to produce an output as
outrageous as our example, misdefinitions can happen, particularly if data is moved around at run-time and
references to some addresses are meaningless on the binary itself. Because one single change of a code
definition can change the whole disassembly, a typical undo is not practical in IDA Pro, as it would force
IDA Pro to save the state of the entire disassembly, a time consuming operation.


Arrays 


Arrays are a fairly obvious extension to the standard data types. Their definition is
straightforward and controlled by the dialog box that pops up whenever you attempt to define an array.







Tip ! One of the most frequently asked question about array definition is : "How do I fit more items 
on a line". Well, the answer is at the same time obvious and hard to find : you just increase the line length. 
Consider these examples : 


[Text representation dialog, first setting: Line prefixes [X], Number of opcode bytes = 1, Use segment
names [X], Segment addresses [X], Function offsets [ ], Instructions indention, Margin (length of arguments of
data directives). The listing beside it shows "1000:0FE4 90 loc_0_FE4: nop", with the array items wrapped
after a short margin.]

Now this:

[The same dialog with the Margin (length of arguments of data directives) value increased; the listing
shows the same "1000:0FE4 loc_0_FE4: nop" line with more array items per line.]

See the difference ? The Text Representation menu is the key to wider arrays ! 







Operands 


IDA Pro has a wide array of options when it comes to operands, as shown in the following menu.
One interesting thing to know is that the block shortcut first encountered with the Undefine command still
works: define a block and convert "en masse".



Using Structures 


Soon, you will want to use IDA Pro's more advanced features, for example structures. It is possible
to interactively define and manipulate structures in the disassembly. Consider this simple sample C
program:

    #include <stdio.h>

    struct client {
        char    code;
        long    id;
        char    name[32];
        client *next;
    };

    void print_clients(client *ptr) {
        while ( ptr != NULL ) {
            printf("ID: %4ld Name: %-32s\n", ptr->id, ptr->name);
            ptr = ptr->next;
        }
    }


Here is the disassembly without any structures defined, as IDA Pro automatically generates it: 


    @print_clients$qp6client proc near
    ptr             = word ptr 4

                    push    bp
                    mov     bp, sp
                    push    si
                    mov     si, [bp+ptr]
                    jmp     short loc_1_32

    loc_1_19:                               ; CODE XREF: print_clients(client *)+24j
                    mov     ax, si
                    add     ax, 5
                    push    ax
                    push    word ptr [si+3]
                    push    word ptr [si+1]
                    mov     ax, offset aId4ldName32s
                    push    ax
                    call    _printf
                    add     sp, 8
                    mov     si, [si+25h]

    loc_1_32:                               ; CODE XREF: print_clients(client *)+7j
                    or      si, si
                    jnz     loc_1_19
                    pop     si
                    pop     bp
                    retn
    @print_clients$qp6client endp


In order to use meaningful names instead of numbers, we open the structure view (View - 
Structure) and press 'Ins' to define a new structure type. Structure members are then added with the 'D' 
key for data and the 'A' key for ASCII strings. As we add new structure members, IDA Pro automatically 
names them. Thereafter, you may change any member's name by pressing N. 


    client_t        struc
    code            db ?
    id              dd ?
    name            db 32 dup(?)
    next            dw ?
    client_t        ends


Finally, the defined structure type can be used to specify the type of an instruction operand (menu
Edit | Operand types | Struct offset).


    @print_clients$qp6client proc near
    ptr             = word ptr 4

                    push    bp
                    mov     bp, sp
                    push    si
                    mov     si, [bp+ptr]
                    jmp     short loc_1_32

    loc_1_19:                               ; CODE XREF: print_clients(client *)+24j
                    mov     ax, si
                    add     ax, client_t.name
                    push    ax
                    push    word ptr [si+client_t.id+2]
                    push    word ptr [si+client_t.id]
                    mov     ax, offset aId4ldName32s
                    push    ax
                    call    _printf
                    add     sp, 8
                    mov     si, [si+client_t.next]

    loc_1_32:                               ; CODE XREF: print_clients(client *)+7j
                    or      si, si
                    jnz     loc_1_19
                    pop     si
                    pop     bp
                    retn
    @print_clients$qp6client endp
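As an added illustration (this is not code from the manual or from IDA itself), the following stand-alone Python script does offline what Edit | Operand types | Struct offset does above: it computes the byte-packed layout of client_t and rewrites the raw displacements [si+1], [si+3], [si+5] and [si+25h] as member references. The names Member, resolve and annotate are my own; the three listing lines are the operands from the disassembly above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Member:
    name: str
    size: int          # size of one element in bytes
    count: int = 1     # array length; name[32] is size 1, count 32

    @property
    def total(self) -> int:
        return self.size * self.count


# client_t as defined on the page: char code; long id; char name[32]; client *next;
# The 16-bit Borland build packs it byte-aligned: long = 4 bytes, near pointer = 2.
CLIENT_T = [
    Member("code", 1),
    Member("id", 4),
    Member("name", 1, 32),
    Member("next", 2),
]


def layout(members: List[Member]) -> List[Tuple[str, int, int]]:
    """Return (name, offset, total_size) per member, packed with no padding."""
    out, off = [], 0
    for m in members:
        out.append((m.name, off, m.total))
        off += m.total
    return out


def struct_size(members: List[Member]) -> int:
    return sum(m.total for m in members)


def resolve(struct_name: str, members: List[Member], disp: int) -> Optional[str]:
    """Map a byte displacement to 'struct.member', or 'struct.member+N' for a
    partial access (the high word of the 32-bit id is pushed via [si+3]).
    None means the displacement lies outside the structure: not a member."""
    for name, off, total in layout(members):
        if off <= disp < off + total:
            delta = disp - off
            return f"{struct_name}.{name}" + (f"+{delta}" if delta else "")
    return None


# Memory operands as IDA prints them: [reg], [reg+3], [reg+25h]
_OPERAND = re.compile(r"\[(\w+)(?:\+([0-9A-Fa-f]+h?))?\]")


def _parse_disp(text: str) -> int:
    # IDA prints hex with a trailing 'h' (25h) and small values in decimal (3).
    return int(text[:-1], 16) if text.lower().endswith("h") else int(text, 10)


def annotate(struct_name: str, members: List[Member], operand: str) -> str:
    """Rewrite one '[reg+disp]' operand with the member name; an operand whose
    displacement is not inside the structure is returned unchanged."""
    m = _OPERAND.fullmatch(operand.strip())
    if not m:
        raise ValueError(f"unsupported operand form: {operand!r}")
    reg, disp_text = m.group(1), m.group(2)
    disp = _parse_disp(disp_text) if disp_text else 0
    sym = resolve(struct_name, members, disp)
    return operand if sym is None else f"[{reg}+{sym}]"


def annotate_listing(struct_name: str, members: List[Member], lines: List[str]) -> List[str]:
    """Apply annotate() to every memory operand in a list of instruction lines."""
    return [_OPERAND.sub(lambda m: annotate(struct_name, members, m.group(0)), line)
            for line in lines]


# The three struct accesses from print_clients, before "Struct offset" is applied.
# The immediate in "add ax, 5" resolves the same way: resolve(..., 5) == client_t.name.
LISTING = [
    "push    word ptr [si+3]",
    "push    word ptr [si+1]",
    "mov     si, [si+25h]",
]

if __name__ == "__main__":
    for line in annotate_listing("client_t", CLIENT_T, LISTING):
        print(line)
```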



What about structures within structures ? 


Yes, it is possible. First, define each structure by itself. Then, from within the higher level 
structure, use alt-Q to embed an instance of the member structure. Here is the result. 


    ASampleStructure struc
    AWord            dw ?
    AnArray          dw 32 dup(?)
    AByte            db ?
    field_43         AnotherOne ?
    ASampleStructure ends


    AnotherOne       struc                  ; XREF: ASampleStructure+43r
    field_0          db ?
    AnotherOne       ends



Enumerated Types 


You can use IDA Pro to interactively define and manipulate enumerated types in the disassembly. 
Consider this simple sample C program: 


    enum color_t {
        BLACK,          /* dark colors */
        BLUE,
        GREEN,
        CYAN,
        RED,
        MAGENTA,
        BROWN,
        LIGHTGRAY,
        DARKGRAY,       /* light colors */
        LIGHTBLUE,
        LIGHTGREEN,
        LIGHTCYAN,
        LIGHTRED,
        LIGHTMAGENTA,
        YELLOW,
        WHITE
    };

    enum day_t { MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY };
    enum bool_t { FALSE, TRUE };

    int is_suitable_color(day_t day, color_t color) {
        if ( (day == SUNDAY || day == SATURDAY) && color == RED ) return TRUE;
        if ( color == BLACK || color == BLUE ) return TRUE;
        return FALSE;
    }

In order to use meaningful names instead of numbers, you simply have to open the enums window and 
press insert to define a new enumerated type. 




[Enums window]

    ; Boolean types
    ; enum bool_t
    FALSE       = 0
    TRUE        = 1

    ; standard PC palette
    ; enum color_t
    BLACK       = 0
    BLUE        = 1
    GREEN       = 2
    CYAN        = 3
    RED         = 4
    ...

    ; Days of week
    ; enum day_t
    MONDAY      = 0
    TUESDAY     = 1
    WEDNESDAY   = 2
    THURSDAY    = 3
    FRIDAY      = 4
    SATURDAY    = 5
    SUNDAY      = 6




Stack Variables 


Obviously, the following disassembly could be improved: the parameter passing is far from evident;
we simply know that a certain number of bytes are passed to the function.


    ; Subroutine
    ; This function takes 3 long arguments
    fnc123          proc near
                    push    14h
                    call    CHK
                    push    ebx
                    mov     edx, [esp+10h]
                    push    edx
                    mov     ebx, [esp+10h]
                    push    ebx
                    mov     eax, [esp+10h]
                    imul    eax, ebx
                    imul    eax, edx
                    push    eax
                    call    func2
                    add     esp, 0Ch
                    pop     ebx
                    retn
    fnc123          endp




IDA Pro will automatically recognize the parameters passed on the stack. Don't you prefer this 
representation ? 


    fnc123          proc near
    arg1            = dword ptr 4
    arg2            = dword ptr 8
    arg3            = dword ptr 0Ch

                    push    14h
                    call    CHK
                    push    ebx
                    mov     edx, [esp+4+arg3]
                    push    edx
                    mov     ebx, [esp+8+arg2]
                    push    ebx
                    mov     eax, [esp+0Ch+arg1]
                    imul    eax, ebx
                    imul    eax, edx
                    push    eax
                    call    func2
                    add     esp, 0Ch
                    pop     ebx
                    retn
    fnc123          endp

[Stack of fnc123 window]

    00000000    r       db 4 dup(?)
    00000004    arg1    dd ?
    00000008    arg2    dd ?
    0000000C    arg3    dd ?
    00000010    ; end of stack variables


Just about everything in IDA Pro, stack variables included, may be given meaningful names. Here is how
to do it. The stack variables of any function can be reached by pressing "CTRL-K" when the cursor is
located at any position in that function. The local stack window appears and the 'N' key can be used to
name stack variables. Try it and see for yourself!


[Local stack window]

    FFFFFFE8    var_18      dd ?
    FFFFFFEC    var_14      db ?
    FFFFFFED    var_13      dw ?
    FFFFFFEF    var_11      dd ?
    FFFFFFF3    var_D       dd ?
    FFFFFFF7                db ?
    FFFFFFF8    fl_Value    dd ?
    FFFFFFFC    var_4       dd ?
    00000000    s
    00000010    r
    00000014


Programming with IDC


In a typical disassembly, there are a lot of repetitive tasks that could be automated, or special
situations that require an additional bit of control. IDA Pro offers IDC, a powerful internal C-like
language. It is documented in the IDC.IDC file and several sample scripts are provided with the
standard distribution. You may want to examine them carefully. Below is a real life practical example.

Using IDC to analyze encrypted code 

This small tutorial demonstrates how to use IDC to decrypt part of a program during analysis. The 
sample file is a portion of the Ripper virus. 


The binary image of the virus is loaded into IDA and analysis is started at the entry point. 


    loc_0_40:
                    cli
                    xor     ax, ax
                    mov     ss, ax
                    assume ss:nothing
                    mov     sp, 7C00h
                    sti
                    mov     si, 7C50h
                    push    cs
                    call    near ptr sub_0_E2
                    db 21h
                    db 5Eh      ; ^
                    db 0Bh
                    db 0B9h
                    db 0AEh



Obviously, the bytes right after the call don't make sense, but the call gives us a clue : it is a decryption 
routine. What we need is a small IDC routine to mimic the decryption and get at the plain text bytes. 


    sub_0_E2        proc far                ; CODE XREF: seg000:004Dp
                    mov     di, si
                    push    cs
                    pop     ds
                    push    cs
                    pop     es
                    assume es:seg000

    loc_0_E8:                               ; CODE XREF: sub_0_E2+14j
                    lodsb
                    xor     al, 0AAh
                    stosb
                    push    di
                    and     di, 0FFh
                    cmp     di, ...         ; operand illegible in the scan
                    pop     di
                    jns     loc_0_E8
                    xor     ax, ax
                    mov     ds, ax




We create a small IDC program that mimics the decryption routine. 


    static decrypt(from, size, key) {
      auto i, x;                        // we define the variables
      for ( i = 0; i < size; i = i + 1 ) {
        x = Byte(from);                 // fetch the byte
        x = (x ^ key);                  // decrypt it
        PatchByte(from, x);             // put it back
        from = from + 1;                // next byte
      }
    }


We save this IDC routine into a file and press F2 to load it into IDA's interpreter. 



Then, we press shift-F2 to call it with the appropriate values. Please note the linear address used for the 
starting point. Pressing OK executes the statement. 
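The same decryption, as an added stand-alone Python re-implementation (not the manual's code and not an IDA API): Byte() and PatchByte() act on a constructed bytearray standing in for the database, the five ciphertext bytes are the ones IDA listed after the call at linear address 0x50, and the key is the 0AAh from the decryptor. It also goes one step beyond the script by rejecting a non-linear starting address, the point the text above makes about the Shift-F2 call.

```python
# The five encrypted bytes IDA showed right after "call near ptr sub_0_E2".
# They sit at linear address 0x50 in the database; the rest of this constructed
# image is zero-filled.
ENCRYPTED_AT_50 = bytes([0x21, 0x5E, 0x0B, 0xB9, 0xAE])
KEY = 0xAA                    # from the decryptor's "xor al, 0AAh"
ENTRY_EA = 0x50               # linear address to pass as 'from'


class Database:
    """Minimal stand-in for the IDC byte-access calls the script uses."""

    def __init__(self, image: bytearray, base: int = 0):
        self.image, self.base = image, base

    def _index(self, ea: int) -> int:
        idx = ea - self.base
        if not 0 <= idx < len(self.image):
            # Refuse addresses that are not inside the loaded image, so a
            # run-time address passed by mistake cannot patch the wrong bytes.
            raise ValueError(f"address {ea:#x} is outside the loaded image")
        return idx

    def Byte(self, ea: int) -> int:
        return self.image[self._index(ea)]

    def PatchByte(self, ea: int, value: int) -> None:
        self.image[self._index(ea)] = value & 0xFF


def decrypt(db: Database, from_ea: int, size: int, key: int) -> None:
    """Same loop as the IDC script: fetch, xor with the key, put back, next."""
    for _ in range(size):
        x = db.Byte(from_ea)        # fetch the byte
        x = x ^ key                 # decrypt it
        db.PatchByte(from_ea, x)    # put it back
        from_ea += 1                # next byte


def make_database() -> Database:
    image = bytearray(0x100)
    image[ENTRY_EA:ENTRY_EA + len(ENCRYPTED_AT_50)] = ENCRYPTED_AT_50
    return Database(image, base=0)


def decrypt_entry(size: int = len(ENCRYPTED_AT_50)) -> bytes:
    """Decrypt the bytes at 0x50 and return them: 8B F4 A1 13 04, the opcodes
    of 'mov si, sp' and 'mov ax, ds:413h' that IDA disassembles afterwards."""
    db = make_database()
    decrypt(db, ENTRY_EA, size, KEY)
    return bytes(db.image[ENTRY_EA:ENTRY_EA + size])


def roundtrip_is_identity() -> bool:
    """XOR is its own inverse: running the script twice restores the ciphertext,
    a quick sanity check worth making before patching a real database."""
    db = make_database()
    decrypt(db, ENTRY_EA, len(ENCRYPTED_AT_50), KEY)
    decrypt(db, ENTRY_EA, len(ENCRYPTED_AT_50), KEY)
    return bytes(db.image[ENTRY_EA:ENTRY_EA + len(ENCRYPTED_AT_50)]) == ENCRYPTED_AT_50


def rejects_runtime_address() -> bool:
    """The virus copies itself to 7C50h at run time, but in the database the
    bytes live at linear 0x50: the run-time address must fail, not patch."""
    try:
        decrypt(make_database(), 0x7C50, len(ENCRYPTED_AT_50), KEY)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(decrypt_entry().hex(" "))    # 8b f4 a1 13 04
```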



Now that the bytes are decrypted:

    loc_0_40:
                    cli
                    xor     ax, ax
                    mov     ss, ax
                    assume ss:nothing
                    mov     sp, 7C00h
                    sti
                    mov     si, 7C50h
                    push    cs
                    call    near ptr sub_0_E2
                    db 8Bh
                    db 0F4h
                    db 0A1h
                    db 13h
                    db 4
                    db 48h      ; H
                    db 48h      ; H
                    db 50h      ; P
                    db 0B1h
                    db 6
                    db 0D3h
                    db 0E0h
                    db 8Eh
                    db 0C0h
                    db 33h      ; 3
                    db 0FFh
                    db 0B9h
                    db 0
                    db 1
                    db 0F3h
                    db 0A5h


We move the cursor to offset 0x50 and press C to inform IDA that there is now code at that location. 


    loc_0_40:
                    cli
                    xor     ax, ax
                    mov     ss, ax
                    assume ss:nothing
                    mov     sp, 7C00h
                    sti
                    mov     si, 7C50h
                    push    cs
                    call    near ptr sub_0_E2

    loc_0_50:
                    mov     si, sp
                    mov     ax, ds:413h
                    dec     ax
                    dec     ax
                    push    ax
                    mov     cl, 6
                    shl     ax, cl
                    mov     es, ax
                    xor     di, di
                    mov     cx, 100h
                    repe movsw
                    mov     ax, 79h
                    push    ds
                    push    es
                    push    ax
                    retf
    aFuckEmUp       db 'FUCK',27h,'EM UP ?'


And the code to allocate memory for the virus appears, along with a rather impolite message... We can
now resume analyzing the rest of the virus.




FLIRT 


Fast Library Identification and Recognition Technology is another revolutionary IDA Pro
capability. This technology allows IDA Pro to automatically recognize calls to the standard libraries of a
long list of compilers. It makes the disassembly easier to read and saves your time. Who would want to
waste time disassembling long runs of code, only to discover that it was a sequence of calls to the standard
library functions?

[Screenshot: a 16-bit DOS program after FLIRT has run. The calls inside sub_0_76B and around loc_0_8C2
now resolve to library names such as _clreol, _window, _gotoxy and _printf, with their pushed arguments
(large 10001h, large 190050h, sp adjustments) visible. The message window reports "Standard library:
TCC/TCC++/BCC++ 16 bit DOS" and that the compiler has been identified, followed by "Already data or code
(hint: make 'unexplored')" notes for seg000:09AA and dseg:1FC9.]


As you can see in the above screen capture, IDA Pro usually detects supported compilers
automatically. However, this identification is not always 100% successful, for example because the
application you are disassembling has been compiled with some specific version of a widespread compiler:
this is the case for small Microsoft Windows utilities such as clock.exe. One other situation where the
identification may fail is when compiler information has been stripped out of the target program, as
happens with some viruses written in high-level languages. Finally, if the compiler is not supported,
recognition will fail.


If you suspect that the target program has been compiled with a supported compiler but FLIRT
does not kick in automatically, you can force the application of library identification signatures. In the
example pictured on the following page (a program compiled with Delphi 3), FLIRT has not recognized the
compiler, as the signature view does not list any signature set as applied.



[Signature window: columns File, State, #func, Library name; the list is <empty>.]

    CODE:0045479C                 assume ds:nothing
    CODE:0045479C                 public start
    CODE:0045479C start           proc near
    CODE:0045479C                 push    ebp
    CODE:0045479D                 mov     ebp, esp
    CODE:0045479F                 add     esp, 0FFFFFFF4h
    CODE:004547A2                 mov     eax, offset loc_0_454614
    CODE:004547A7                 call    sub_0_4054D0


Pressing the INS key in the signature window displays the list of available signatures. 


[List of available library modules (File | Options), 1/101]

    AZTEC       Aztec v3.20d
    B32VCL      Borland Visual Component Library & Package
    B5132MFC    Borland 5.0x MFC adaptation
    B516CGU     BCC v4.5/v5.x CodeGuard 16 bit
    B532CGU     BCC v4.5/v5.x CodeGuard 32 bit
    BC15BIDS    BCC++ for OS/2 classlib
    BC15C2      BCC++ for OS/2 runtime
    BC15OWL     BCC++ for OS/2 OWL
    BC31CLS     TCC++/BCC++ classlib
    BC31OWLW    BCC++ v3.1 OWL
    BC31RTD     TCC/TCC++/BCC++ 16 bit DOS
    BC31RTW     BCC++ v3.1 windows runtime
    BC31TVD     TCC++/BCC++ TVision
    BH16CLS     BCC v4.x/5.x class library 16 bit
    BH16DBE     Borland DBE 16 bit
    BH16GBFD    BCC v4.x/5.x BGI graphics
    BH16OCF     Borland OCF 16 bit
    BH16OWL     Borland OWL (2/2.5) 16 bit
    BH16RDOS    BCC v4.x/5.x DOS runtime


Applying the Delphi 3 Visual Component Library gives this result:

    loc_0_439A28:                           ; DATA XREF: CODE:004390F4
                                            ; CODE:0043B348 ...
                    mov     eax, [eax+150h]
                    call    @TCanvas@TextHeight
                    retn

    loc_0_439A34:                           ; DATA XREF: CODE:004390F8
                                            ; CODE:0043B34C ...
                    mov     eax, [eax+150h]
                    call    @TCanvas@TextWidth
                    retn


1697 functions have been identified, resulting in a much more understandable disassembly. What if your
compiler is unsupported? You may still benefit from the FLIRT technology, at least if you have access to
your compiler libraries. By downloading our tools and generating your own FLIRT databases, you will be
able to attain the same high level of recognition that you get with the shipping defaults.


Processor SDK 


A processor SDK exists. It is available for free to all of our existing customers. At this stage, it is 
officially unsupported, although we do provide some support when we can. How difficult is it to create 
your own processor module ? Well, frankly, it is not an easy task.... 

To be continued and expanded... 



